http://www.informationweek.com/news/showArticle.jhtml?articleID 2400629 

By Thomas Claburn
InformationWeek
October 9, 2007

Microsoft (MSFT) on Tuesday released six security bulletins, half of 
which have an effect on Windows Vista.

"Three of the bulletins impact Vista," said Eric Schultze, chief 
security architect, of St. Paul, Minn.-based Shavlik Technologies. 
"That's not a really good track record for an operating system that 
Microsoft thought was going to secure the world."

Pointing to Windows Vista patches this month and in previous months, 
Schultze said, "I don't think Vista has had quite the impact that 
Microsoft hoped it would in staving off the need to patch your OS."

Of the six security updates published Tuesday, four are rated "critical" 
and two are rated "important." "This is a little larger this month than 
average," said Schultze. "Obviously, the big news goes toward bulletin 
057, which is for Internet Explorer. The Internet Explorer patch goes 
toward addressing a lot of previously known public vulnerabilities. So 
you'll want to patch the IE issue pretty quickly for all of your 
Internet browsing machines."

"Today's Microsoft patches emphasize the need for proactive browser 
protection and the risk of surfing the Web unprotected," said Dave 
Marcus, security research and communications manager at McAfee Avert 
Labs, in an e-mailed statement. "Many of the vulnerabilities addressed 
by the fixes could be exploited if a Windows user simply clicks a 
malicious Web link, a favorite attack method among cybercriminals. Users 
need to be more careful than ever when surfing the Internet."

Though bulletin 058 is only rated "important" -- the "critical" 
designation is typically reserved for flaws that allow remote code 
execution -- Schultze nonetheless said the IE fix should be dealt with 
immediately.

"The other big one that I think it really critical to do is bulletin 
058, which Microsoft calls the RPC denial of service," said Schultze, 
who explained that it could be used to conduct denial of service 
attacks. "This one will be really critical for network administrators 
and corporations to protect all of their assets on their internal 
network... from disgruntled employees."

Schultze said there is no exploit currently circulating for this bug but 
he expects there will be one within a week.

The other critical bulletins address flaws in Kodak Image Viewer, 
Outlook Express and Windows Mail, and Microsoft Word that could allow 
remote code execution. Bulletin 059, rated "important," addresses a 
vulnerability found that impacts Windows SharePoint Services 3.0 and 
Office SharePoint Server 2007.

Microsoft had expected to release seven updates Tuesday, as stated last 
Thursday through its Advance Notification Service (ANS).

Tami Gallupe, Microsoft Security Response Center release manager, 
explained in a blog post, "As previously communicated, the ANS is always 
subject to change. We decided to remove one of the updates from the 
release schedule due to a quality control issue, so we can resolve that 
issue prior to releasing the update to customers."


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com